Witness the revolution
Written by Helen Yates
Regulators’ tougher stance on privacy and data will echo notification rules in the US and will drive much wider take-up of cyber insurance products. Helen Yates reports
The speed at which companies’ cyber exposures change is one of the biggest challenges of this emerging risk. Once, only the large brand names and banking institutions were deemed at risk of hacking and cyber espionage; now any business, large or small, is a potential target. And with evolving technology, IT security has moved beyond the realms of the company and even the mobile network.
Google Glass, the Samsung Galaxy Gear smartwatch and Apple’s anticipated iWatch may still seem futuristic, but these wearable devices will soon be commonplace. At present, they are virtually undetectable by network management software, which makes it significantly harder for IT departments to monitor them effectively as their use increases. Many IT experts predict that wearable technology represents the next frontier in the BYOD revolution.
Recent events targeting Santander and Barclays are reminders of how much is at stake for organisations operating in today’s electronic world. A gang of hackers stole £1.3m from Barclays by hijacking the bank’s computer system in September. One of the gang allegedly posed as an IT engineer to gain access and fit a device to a computer at a branch in Swiss Cottage that allowed the gang to access its network remotely.
Cyber liability is one of the biggest emerging risks facing organisations in the UK and around the world. In the UK, 93 per cent of large corporations and 76 per cent of small businesses experienced a data breach in the last year, according to PwC. The cost of a security breach continues to rise, according to Ponemon, to £2.04m, up from £1.75m a year ago. Per capita, the average breach cost went up to £86 in 2012 from £79 in 2011.
Nearly every survey of corporate risk managers puts cyber among its list of top concerns. Airmic delegates identified cyber crime and data privacy as the most concerning risk facing their business, according to research carried out by ACE at this year’s Airmic conference. Some 54 per cent of risk managers and brokers participating ranked cyber risk ahead of D&O (25 per cent) and political violence and terrorism (17 per cent).
A major reason risk professionals are so concerned about the risk of networks going down or data being breached is the fact many companies are not indemnified for such an eventuality. Despite the importance risk managers attach to cyber risk, the overwhelming majority of those surveyed by ACE said that new regulations forcing them to inform clients about a data breach would be the primary driver of growth in cyber liability insurance.
“Cyber is climbing up the risk agenda and these results show there is real concern now, even before any legislation is introduced, about the strength of reputational risk posed by the threat of data breach,” says ACE’s cyber and technology underwriter Ian Ainslie. “These results confirm our view that when legislation does come into place, demand for cover will increase.”
US sets the pace
The cyber insurance market is still very much in its infancy in the UK. However, on the other side of the Atlantic, in the US, it is much further along. This is largely due to regulation, and in particular strict privacy regulations that mandate that organisations must notify customers if their personal information is compromised. There, the market has grown to a size of US$1.3bn in gross premiums (according to the Betterley Report) and the products have developed to a point where most share common features and price their cover in a similar fashion.
Change is brewing in Europe thanks to the soon to be revised EU Data Protection Directive with a key vote on amendments imminently due to take place at the time of writing. In August, the e-Privacy Regulations came into force, requiring telcos and internet service providers (ISPs) to notify anyone affected of personal data breach incidents.
Under the new Data Protection Regulation, companies in Europe will be required to report a breach within 24 hours of it occurring. There will also be larger fines for failure to comply. “Already in the UK, for telcos and ISPs there might be a requirement to notify individuals if the ICO thinks the breach is bad enough,” says Nigel Pearson, global head of fidelity at Allianz Global Corporate & Specialty. “So for certain telcos and ISPs that means they could potentially incur some pretty significant costs.”
“That’s what may come into place when the directive eventually is enacted,” he continues. “To a certain extent evolving data protection laws are going to drive insurance take-up, but will the legislative requirements be the same as in the US? Will there be other issues that drive coverage outside the US? Personally I think as the legislative environment evolves globally, there will probably be a convergence on the main issues.”
At present the Information Commissioner’s Office (ICO) is able to fine organisations up to £500,000 for failing to prevent breaches, but these are likely to go up when the EU Data Directive is revised. And there can be much harsher penalties for financial firms. In 2010 the then Financial Services Authority fined Zurich Insurance £2.25m for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information.
The new laws surrounding data protection and privacy ultimately mean the costs associated with a data breach are likely to increase substantially. This is coupled with the rapidly evolving threat environment and the daily reminder, thanks to media headlines, of the danger posed by hackers, criminal networks and even government-sponsored agencies. It is enough to keep many risk managers awake at night.
Pearson thinks the tightening up of data and privacy laws will ultimately drive more demand for cyber insurance in the future. “The new European Data Protection legislation is probably going to come into force in the next two or three years and that’s going to have an impact on companies outside the US. There is more demand for cover; it’s a small market at the moment, there’s no question, but speaking to our brokers they’re seeing a significant uptick in the number of enquiries from non-US companies.”
“We have to accept there is a bit of a buying lifecycle, so if you talk to a client and a broker puts your quote up it might take anything from a few months to a year before they say, ‘Now it’s the time’,” he continues. “It will take a while but one thing is absolutely certain; the legal obligations being placed on data controllers will continue to grow from now on. This affects most companies all over the world, and that’s not something that is going to change.”
Insuring the threat
So many businesses in today’s world rely on technology to undertake their day-to-day operations. And many hold sensitive data, from credit card information to personal health and passport details. Losing this information, losing access to IT networks and then having to publicly report such incidents is an exposure that is growing for companies from all business sectors and of all sizes.
The notification costs are one concern, but there are also business interruption and investigation costs to take into account. “When we’re looking at this we need to look at where cyber insurance has worked and that tends to be the US,” says Simon Calderbank, a cyber underwriter at QBE. “The business out there is driven by this regulatory piece with regard to notification. If you’re looking at US$20 to US$25 to notify each client and you’ve got 10,000 clients, you suddenly start sitting up.”
“There is also a potential of loss of profit if systems are down and you’re potentially paying out for forensic investigations – so that potential US$25,000 to notify has jumped up to US$50,000,” he continues. “And suddenly you go from very small numbers to quite significant numbers with regard to cost and claims and everything around cyber.”
“It is a huge...claim to be paying out – so having a policy that can provide that protection and assistance and hand-holding service is a benefit to clients, it’s just making clients realise what the risks are and how the policy can work for them that’s the challenge,” he concludes.
Firms may choose to buy protection for losses they incur as a result of a digital incident. Such first-party claims could include damage to IT equipment, the cost of restoring data and the cost of business interruption. But it is the third-party claims – involving the loss of sensitive customer data for instance – that can be significant and this is where more sophisticated liability products come into their own. Add-ons can include cover for regulatory defence and penalties, loss of reputation, cyber/privacy extortion and employee dishonesty.
Insurers specialising in cyber liability in the UK often emphasise that the product is more than just an indemnification for lost profits on either a first or third-party basis. Any cyber product worth its salt will also offer crisis management services and access to experts when a breach occurs. This includes PR, legal and forensic IT experts.
For many firms, one of the unknown quantities when a breach occurs is the impact that has on brand and reputation. Customers in the retail sector are unlikely to continue buying from a shop that has lost their credit card details for instance. This brings cyber insurance into the realm of reputational harm products which are also in their infancy. The impact on brand in the aftermath of a breach was apparent in many of the data breaches reported by UK firms in 2012, according to Ponemon, with fewer customers remaining loyal following an incident.
“Allianz has a reputation product which is a separate thing from cyber,” explains Pearson. “We have three public relations partners to manage the crisis on the insured’s behalf and they all support the cyber product as well. Any company that suffers a cyber incident will need to manage the media. The crisis management companies are very good for us because they have a lot of experience.”
As the UK cyber insurance market has developed and evolved, there is increasing commonality between the cover offered by the top players in the market. The key players include Lloyd’s and company market players such as Zurich, QBE, ACE European Group, AIG, Brit, Beazley, Barbican, Kiln, and Liberty International Underwriters. While most can quote up to around £10m, one or two insurers can offer significantly more capacity.
Arguably the best known and most commoditised product is Beazley Breach Response which has had a lot of take-up in the US market where it was first developed. Since 2009, it has helped more than 800 clients manage data breaches successfully. While not suitable for every insured, it deals well with the logistical challenge of having to notify customers when a breach has occurred. The company now sells over US$100m worth of cyber, its fastest growing new product.
From a risk manager’s perspective one of the challenges is assigning responsibility for cyber liability correctly within an organisation. Historically, IT security was the domain of the IT department and more recently chief information officer (CIO). These days, a joined-up approach is required with risk professionals working closely with senior IT managers, HR professionals and the board to address these issues. Risk managers must learn to speak the same language as their technology peers as they put in place measures to strengthen controls around technology.
But it is still early days for cyber underwriters and there is a significant learning curve attached, not just for risk managers but also for some intermediaries. “A lot of what I do at the moment is education – not only with clients but also with brokers – I describe it as the D&O of ten to 15 years ago,” says Calderbank. “Nowadays no director worth his salt is going to go to a company if there’s no D&O policy in place to protect him going forwards.”
“I do see it as a slow burn and one that will probably get a couple of injections along the way – namely changes in the law with regard to notifications of any incidents – but also from a contracting perspective,” he adds. “A lot more contracts these days need to have a cyber policy in place as well.”